Skip to content

Control 2.1: Managed Environments

Overview

Control ID: 2.1 Control Name: Managed Environments Regulatory Reference: FINRA 4511, SEC 17a-4, GLBA 501(b), SOX 302 Setup Time: 30-45 min per environment

Purpose

Enable premium governance capabilities for Power Platform environments by designating them as Managed Environments. This provides enhanced control over sharing, solution deployment, usage monitoring, and maker onboarding - essential for financial services organizations enforcing governance at the environment level.

Description

Managed Environments provide premium governance capabilities for Power Platform environments, enabling centralized control over sharing, solution deployment, usage insights, and maker onboarding. In FSI organizations, Managed Environments are essential for enforcing governance policies at the environment level.

See Managed Environments overview for detailed capabilities.

Key Capabilities

When an environment is managed, administrators gain access to enhanced governance features. Microsoft documentation lists 23 distinct capabilities for Managed Environments (Source):

Capability Description FSI Relevance
Manage sharing Limit how widely apps, flows, and agents can be shared Prevents oversharing of sensitive tools
Solution checker enforcement Block/warn on solution imports with security issues Ensures code quality and security
Usage insights Weekly digest of top apps and flows Adoption monitoring and shadow AI detection
Maker welcome content Custom onboarding guidance for makers Policy communication and training
Data policies View and enforce active DLP policies Data boundary enforcement

Full Capabilities Reference (23 Features)

The complete list of Managed Environment capabilities includes:

Core Governance:

# Capability Description
1 Environment groups Group environments for policy inheritance
2 Limit sharing Control app/flow/agent sharing scope
3 Weekly usage insights Automated digest of top resources
4 Data policies DLP policy enforcement and visibility
5 Pipelines in Power Platform ALM deployment pipelines
6 Maker welcome content Custom onboarding for makers
7 Solution checker Code quality enforcement at import
8 Default environment routing Route makers to governed environments
9 Administer the catalog Manage approved components
10 Control which apps are allowed App allowlisting

Security & Compliance:

# Capability Description
11 IP Firewall Restrict environment access by IP address
12 IP cookie binding Prevent session token theft
13 Customer Managed Key (CMK) Encrypt data with your own keys
14 Lockbox Control Microsoft support access
15 Virtual Network support Private network connectivity
16 Configure auditing for environment Enhanced audit configuration
17 Create and manage masking rules Data masking for sensitive fields
18 Conditional access on individual apps App-level CA policies

Advanced Features:

# Capability Description
19 Extended backup Longer backup retention
20 Data policies for desktop flow RPA-specific DLP
21 Export data to Azure Application Insights Telemetry integration
22 Create app description with Copilot AI-assisted documentation
23 System administration capabilities Enhanced admin controls

FSI Priority Features

For regulated financial services, prioritize: IP Firewall, VNet support, CMK, Lockbox, data masking, and enhanced auditing. These features address common examination expectations around data protection and access control.

Prerequisites

Primary Owner Admin Role: Power Platform Administrator (Entra ID role) Supporting Roles: Environment Admin; Dataverse System Administrator (only if Dataverse is enabled)

Licenses Required

Managed Environments are enabled as an admin setting in PPAC and do not require a standalone “Managed Environment license” to toggle on. Users still need the appropriate product licenses to create/run apps, flows, and agents in the environment (and Dataverse capacity if Dataverse-backed capabilities are used).

License / Capability Purpose Required For
Power Apps (Premium) Build/run apps using premium capabilities/connectors Makers/users as applicable to the app design
Power Automate Premium Premium flow capabilities/connectors Flows using premium connectors or advanced capabilities
Copilot Studio Agent creation and operation Building and running agents in Copilot Studio
Microsoft Purview Audit (tenant feature) Evidence capture for admin actions (audit logs) Evidence-grade verification (recommended)

Permissions Required

Role Purpose Assignment Method
Power Platform Administrator Full admin access Entra ID / M365 Admin
Environment Admin Environment-level admin PPAC assignment
System Administrator Dataverse admin Security role in environment

Important - Admin Self-Elevation Required: Power Platform administrators must now self-elevate to the System Administrator role within each environment to perform environment-level operations. This is no longer automatic. See Manage high-privileged admin roles for details.

Dependencies

Dependency Description Verification
Environment created Target environment exists Check PPAC → Environments
DLP policies Data policies defined Check PPAC → Data policies
Environment groups Optional but recommended Check PPAC → Environment groups
Environment region (US-only) Environment must be hosted in a United States region/data geo Check PPAC → Environment → Details → Region
Audit/evidence access (recommended) Ability to capture admin changes and retain evidence artifacts Confirm access to tenant audit logs and screenshot repository

Pre-Setup Checklist

  • [ ] Target environment(s) identified
  • [ ] Governance tier classification determined
  • [ ] Confirm environment region is United States (US-only requirement)
  • [ ] Confirm makers/users have appropriate product licensing for intended workloads
  • [ ] DLP policies created and ready to apply
  • [ ] Maker welcome content drafted
  • [ ] Solution checker requirements documented
  • [ ] Identify evidence storage location (ticketing system attachment, SharePoint, or GRC repository) and naming convention

Governance Levels

Level 1 - Baseline

Setting Configuration
Managed Environment Enabled for all non-personal environments
Manage sharing Default (no limits)
Solution checker None
Usage insights Disabled

Minimum requirements:

  • Enable Managed Environment status
  • Document environment classification
Setting Configuration
Managed Environment Enabled for all non-personal environments
Manage sharing Limits configured per resource type
Solution checker Warn
Usage insights Enabled with weekly digest
Maker welcome content Governance policy summary

FSI recommendations:

  • Configure sharing limits for Copilot Studio agents
  • Enable usage insights for compliance monitoring
  • Add maker welcome content with policy links

Level 4 - Regulated/High-Risk

Setting Configuration
Managed Environment Mandatory for enterprise-managed environments
Manage sharing Strict limits (security groups only)
Solution checker Block (prevent non-compliant imports)
Usage insights Enabled with additional recipients (Compliance)
Maker welcome content Full governance policy with acknowledgment
Data policies Active DLP policies visible and enforced

FSI requirements:

  • Solution checker set to Block for production environments
  • Compliance team added to usage insights digest
  • Maker welcome content includes regulatory requirements

Setup & Configuration

Step 1: Navigate to Environment

  1. Open Power Platform Admin Center
  2. Select Environments in left navigation
  3. Click on the target environment name

Step 2: Access Managed Environment Settings

  1. Locate the Managed environments card on the environment page
  2. Click Edit managed environments link
  3. Or use toolbar button: Edit managed environments
  4. In the panel, set Managed environment to On (enabled)
  5. Leave the panel open to configure the settings below before saving

Step 3: Configure Sharing Limits

In the "Manage sharing" section, configure limits for each resource type:

Power Apps

  • Expand Power Apps section
  • Select: "Don't set limits" OR configure sharing restrictions

Power Automate

  • Expand Power Automate section
  • Configure flow sharing limits

Copilot Studio

Expand Copilot Studio section to configure agent sharing:

Editors:

  • ☑️/☐ "Let people grant Editor permissions when agents are shared"

Viewers:

  • ☑️/☐ "Let people grant Viewer permissions when agents are shared"
  • ☐ "Only share with individuals (no security groups)" - Prevents sharing with security groups
  • ☐ "Limit the number of viewers who can access each agent" - Set numeric limit

Governance Tier Recommendations:

Tier Editors Viewers Individuals Only Viewer Limit
Tier 1 ☐ Disabled ☐ Disabled N/A N/A
Tier 2 ☑️ Enabled ☑️ Enabled ☐ No No limit
Tier 3 ☐ Disabled ☑️ Enabled ☐ No Consider limit

Note

Sharing limits do not apply when agent authentication is set to "No authentication". Always enable authentication for shared/enterprise agents.

Note

Sharing limits govern Power Platform sharing for apps/flows/agents. They do not replace strong agent authentication and do not control access granted through any anonymous/public endpoint. For regulated use, avoid “No authentication” and validate controls with negative tests in ## Verification & Testing.

See Sharing limits for details.

Step 4: Configure Solution Checker

  1. Locate Solution checker enforcement section
  2. Set enforcement level using slider:
  3. None: No enforcement (personal productivity)
  4. Warn: Email notifications on issues (team collaboration)
  5. Block: Prevent import of solutions with issues (enterprise managed)
  6. Optionally configure excluded rules
  7. Enable email notifications: "Send emails only when a solution is blocked"

FSI Recommendation: Set to Block for enterprise-managed production environments to prevent deployment of solutions with security vulnerabilities.

Prerequisite note: Solution Checker enforcement requires a Dataverse-backed environment and solution import scenarios. If the environment does not use Dataverse/solutions, document “Not applicable” and rely on other governance controls (DLP, sharing limits, and change management).

Step 5: Enable Usage Insights

  1. Locate Usage insights section
  2. Check Include insights for this environment in the weekly email digest
  3. Check Add additional recipients for the weekly digest and add:
  4. Compliance Officer email
  5. Security Team distribution list

See Usage insights for details.

Step 6: Configure Maker Welcome Content

  1. Locate Maker welcome content section
  2. Enter governance guidance in Markdown or plain text (1500 character limit)
  3. Add Learn more link to full policy documentation
  4. Click See preview to verify formatting

Example content for a team collaboration environment: 

## Welcome to [Environment Name]

This is a **team collaboration environment**. Before creating agents:

- Review the Agent Governance Policy
- Complete required training
- All agents require manager approval before sharing

Contact governance@company.com for questions.

Step 7: Configure AI Features (Optional)

  1. Locate Enable AI-generated app descriptions (preview) section
  2. Enable/disable based on organization policy
  3. Review warning about potential inaccuracies

Step 8: Review Data Policies

  1. Locate Data policies section
  2. Select See active data policies for this environment
  3. Verify the expected DLP policy/policies are applied to this environment (record policy name(s))
  4. If policies are missing, assign them:
  5. PPAC → Data policies → open the policy → Environments → add/select the target environment → Save
  6. Capture evidence:
  7. Screenshot of the environment’s Data policies showing the active policy list
  8. Screenshot of the DLP policy Environments tab showing the environment assigned

Step 9: Save Configuration

  1. Review all settings
  2. Click Save to apply changes
  3. Verify settings are active by reopening the panel

Managed Environments complement Environment Groups and Environment Routing to ensure makers are routed into governed environments by default.

  1. PPAC → EnvironmentsEnvironment groups
  2. Create or open the target environment group (US-only scope)
  3. Add the managed environment(s) to the group
  4. Enable/configure environment routing per your standard in Control 2.15: Environment Routing
  5. Capture evidence:
  6. Screenshot of the environment group membership showing the managed environment included
  7. Screenshot of the environment routing configuration/rules used for routing makers

PowerShell Configuration

Connect to Power Platform

# Install Power Platform admin module
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force

# Connect to Power Platform
Add-PowerAppsAccount

# List all environments
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, IsDefault, EnvironmentType | Format-Table

Enable Managed Environment

# Get environment ID
$envName = "FSI-Production"
$env = Get-AdminPowerAppEnvironment | Where-Object { $_.DisplayName -eq $envName }

# Enable Managed Environment
# Note: Managed Environment enablement is primarily done through PPAC portal
# PowerShell can be used for querying and some settings

# Check if environment is managed
$envDetails = Get-AdminPowerAppEnvironment -EnvironmentName $env.EnvironmentName
Write-Host "Environment: $($envDetails.DisplayName)"
Write-Host "Governance/Protection Level: $($envDetails.Properties.protectionLevel)"

Configure Sharing Limits via API

# Use Power Platform Admin Connector or direct API for sharing limits
# Example using REST API pattern

$environmentId = $env.EnvironmentName
$tenantId = (Get-AzContext).Tenant.Id

# Get management settings
$uri = "https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/environments/$environmentId/governanceConfiguration?api-version=2021-04-01"

# Headers with bearer token
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# This would be the governance configuration - actual implementation requires OAuth token
# Refer to Power Platform Admin API documentation

Get Environment Governance Status

# Get all environments with governance status
$environments = Get-AdminPowerAppEnvironment

$envReport = $environments | ForEach-Object {
    [PSCustomObject]@{
        Name = $_.DisplayName
        Type = $_.EnvironmentType
        State = $_.States.Runtime
        IsManagedEnv = if ($_.Properties.protectionLevel -eq "Standard") { "No" } else { "Yes" }
        CreatedTime = $_.Properties.createdTime
    }
}

$envReport | Format-Table
$envReport | Export-Csv -Path "Environment-Governance-Report.csv" -NoTypeInformation

Export Managed Environment Configuration

# Export environment details for compliance documentation
function Export-ManagedEnvConfig {
    param([string]$EnvironmentName)

    $env = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName

    $config = [PSCustomObject]@{
        Name = $env.DisplayName
        EnvironmentId = $env.EnvironmentName
        Region = $env.Location
        Type = $env.EnvironmentType
        State = $env.States.Runtime
        CreatedDate = $env.Properties.createdTime
        CreatedBy = $env.Properties.createdBy.displayName
        ExportDate = Get-Date
    }

    $config | ConvertTo-Json | Out-File -FilePath "ManagedEnv-$EnvironmentName-Config.json"
    Write-Host "Exported configuration to ManagedEnv-$EnvironmentName-Config.json"
}

# Export all enterprise-managed environments
Get-AdminPowerAppEnvironment | Where-Object { $_.EnvironmentType -eq "Production" } | ForEach-Object {
    Export-ManagedEnvConfig -EnvironmentName $_.EnvironmentName
}

Monitor Environment Health

# Check environment capacity and status
$environments = Get-AdminPowerAppEnvironment

foreach ($env in $environments | Where-Object { $_.EnvironmentType -eq "Production" }) {
    Write-Host "`n=== $($env.DisplayName) ===" -ForegroundColor Cyan
    Write-Host "State: $($env.States.Runtime)"
    Write-Host "Type: $($env.EnvironmentType)"
    Write-Host "Has Dataverse: $($env.Properties.linkedEnvironmentMetadata -ne $null)"
}

Financial Sector Considerations

Regulatory Mapping

Regulation Managed Environment Feature Control Implementation
FINRA 4511 Usage insights Activity records for books and records
SEC 17a-4 Solution checker Change control for recordkeeping
GLBA 501(b) Sharing limits Protect customer information
SOX 302 Maker welcome content Policy acknowledgment documentation
OCC 2011-12 Solution checker (Block) Model validation enforcement

Governance Tier Managed Environment Settings

Setting Tier 1 Tier 2 Tier 3
Managed Environment Optional Recommended Required
Sharing Limits - Apps Unlimited 50 users Security groups only
Sharing Limits - Flows Unlimited 25 users Security groups only
Sharing Limits - Agents Unlimited 25 users Security groups only
Solution Checker None Warn Block
Usage Insights Optional Enabled Enabled + Compliance CC
Maker Welcome Optional Recommended Required with acknowledgment

FSI Example: Investment Firm Managed Environment

Organization: Regional Investment Management Firm
Environment: FSI-Client-Services-Prod

Managed Environment Configuration:
  Status: Enabled

  Sharing Controls:
    Power Apps: Security groups only
    Power Automate: Security groups only
    Copilot Studio: Security groups only
    Approved Groups:
      - sg-client-services-users
      - sg-compliance-reviewers

  Solution Checker:
    Enforcement: Block
    Validation: Critical and High severity items block import
    Exceptions: Documented exception process required

  Usage Insights:
    Enabled: Yes
    Recipients:
      - it-governance@firm.com
      - compliance@firm.com
    Frequency: Weekly

  Maker Welcome Content:
    Title: "Enterprise Managed Production Environment - Regulated"
    Content: |
      This is an enterprise-managed regulated environment.
      All solutions require governance approval.
      Client data is subject to SEC and FINRA regulations.
      Contact compliance@firm.com before publishing.
    Acknowledgment: Required

  Data Policies:
    Active Policies:
      - FSI-Block-Consumer-Connectors
      - FSI-Customer-Data-Protection

Regulatory Context

Primary Regulations: FINRA 4511, SEC 17a-4, GLBA 501(b), SOX 302

Regulation Managed Environment Support
FINRA 4511 Usage insights provide activity records for books and records
SEC 17a-4 Solution checker enforces change control for recordkeeping
GLBA 501(b) Sharing limits protect customer information
SOX 302 Maker welcome content documents policy acknowledgment

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of managed environments that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply enable managed environment governance controls for shared/production for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain environment settings exports.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for managed environments and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain environment settings exports.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Retain an evidence pack per environment. Minimum recommended artifacts:

  • Screenshot: PPAC → Environment details showing Managed Environment = Yes
  • Screenshot: Edit managed environments panel showing configured settings (sharing limits, solution checker level, usage insights recipients)
  • Screenshot(s): Environment Data policies showing active DLP policy list
  • Screenshot(s) or export: DLP policy assignment (policy → Environments tab)
  • Email evidence (if enabled): Weekly Usage Insights digest received by intended recipients
  • Export (optional but recommended): PowerShell export JSON (environment config snapshot) and CSV inventory report
Step Action Expected Result Evidence Artifact
1 PPAC → Environments → open target environment Environment details displayed Screenshot (environment overview)
2 Confirm Managed environments card shows enabled Managed Environment = Yes Screenshot (card/overview)
3 Open Edit managed environments Settings panel opens Screenshot (panel header + toggles)
4 Verify Manage sharing limits for Power Apps/Power Automate/Copilot Studio Limits match governance tier Screenshot (sharing sections expanded)
5 Negative test: attempt to share an app/flow/agent beyond configured limit (or to a disallowed target) Share attempt blocked or constrained per config Screenshot of error/blocked UI + ticket note
6 If Dataverse/solutions are used: verify Solution checker enforcement level None/Warn/Block matches tier Screenshot (solution checker setting)
7 If Block: attempt to import a deliberately non-compliant solution (or a test solution with known checker findings) Import blocked; findings visible Screenshot of import failure + checker results
8 Verify Usage insights recipients Recipients listed as intended Screenshot (usage insights configuration)
9 Wait for weekly cycle; confirm digest delivery Digest received by intended recipients Saved email (message header + body)
10 If routing is used: test maker entry (create app/flow) from the routed experience Maker is routed to the governed environment Screenshot (routing prompt/result) + routing rules screenshot

Integration with Environment Groups

Managed Environments work with Environment Groups to provide layered governance:

Layer Controls Scope
Environment Groups Rules (sharing, channels, authentication) Multiple environments
Managed Environments Sharing limits, solution checker, usage insights Single environment

Best Practice: Use environment groups for broad policy enforcement across zones, and Managed Environment settings for environment-specific tuning.

Interaction Note: Environment group rules and Managed Environment settings work together. The more restrictive setting takes precedence.

Troubleshooting & Validation

Issue: Cannot Enable Managed Environment

Symptoms: Managed Environment option not available or fails

Solutions:

  1. Confirm you have the required admin role (Power Platform Administrator or Environment Admin)
  2. Confirm the environment is not in a locked/disabled state and has no pending operations
  3. If you are enabling features that depend on Dataverse (for example, Solution Checker enforcement), confirm Dataverse is provisioned/capacity is available
  4. Ensure environment is not in a locked/disabled state
  5. Check for any pending environment operations

Issue: Solution Checker Blocking Valid Solutions

Symptoms: Legitimate solutions blocked on import due to checker

Solutions:

  1. Review solution checker results for specific issues
  2. Address critical/high severity items before import
  3. If false positive, document and create exception
  4. Use "Warn" mode temporarily while fixing issues
  5. Contact Microsoft Support for persistent false positives

Issue: Usage Insights Not Arriving

Symptoms: Weekly usage digest emails not received

Solutions:

  1. Verify email addresses are correctly configured
  2. Check spam/junk folders for digest emails
  3. Confirm environment has active usage (empty envs don't send)
  4. Wait one week - digests are weekly, not immediate
  5. Verify environment is still marked as Managed

Issue: Sharing Limits Not Enforcing

Symptoms: Users can share beyond configured limits

Solutions:

  1. Verify settings were saved (reopen panel to confirm)
  2. Check if user is Environment Admin (admins bypass limits)
  3. Confirm limits are set for correct resource type
  4. Wait for settings propagation (can take up to 1 hour)
  5. Check for conflicting environment group rules

Issue: Maker Welcome Content Not Displaying

Symptoms: Makers don't see welcome content on environment access

Solutions:

  1. Verify content was saved successfully
  2. Confirm maker is accessing environment for first time
  3. Check if browser is blocking popups
  4. Test with different user account
  5. Verify environment is correctly marked as Managed

Additional Resources

Control Relationship
Control 2.2: Environment Groups Group-level governance rules
Control 2.15: Environment Routing Automatic maker placement
Control 1.4: Advanced Connector Policies Data policies
Control 2.3: Change Management Solution deployment controls

Support & Questions

For implementation support or questions about this control, contact:

  • Power Platform Administrator: Environment configuration
  • IT Governance: Sharing limit policies
  • Compliance Officer: Regulatory requirements
  • AI Governance Lead: Agent-specific settings

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification